MDVSA-2010:247

Problem description

A vulnerability was discovered and corrected in the Linux 2.6 kernel:

The compat_alloc_user_space functions in include/asm/compat.h files
in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do
not properly allocate the userspace memory required for the 32-bit
compatibility layer, which allows local users to gain privileges by
leveraging the ability of the compat_mc_getsockopt function (aka the
MCAST_MSFILTER getsockopt support) to control a certain length value,
related to a stack pointer underflow issue, as exploited in the wild
in September 2010. (CVE-2010-3081)

The IA32 system call emulation functionality in
arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2
on the x86_64 platform does not zero extend the %eax register after
the 32-bit entry path to ptrace is used, which allows local users to
gain privileges by triggering an out-of-bounds access to the system
call table using the %rax register. NOTE: this vulnerability exists
because of a CVE-2007-4573 regression. (CVE-2010-3301)
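
A simplified user-space model of the CVE-2010-3301 pattern described above, added here as an illustration and not taken from the kernel source or from this advisory: the bound is tested on the low 32 bits of the register while the table is indexed with all 64. The table, its size, the function names and the sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_ENTRIES    8u     /* constructed table size, not the kernel's */
#define REJECTED      (-1)   /* number failed the bounds check */
#define OUT_OF_BOUNDS (-2)   /* check passed, but the index is past the table */

static const int table[NR_ENTRIES] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Model of a scaled 64-bit table access: report instead of reading out of bounds. */
static int lookup(uint64_t index)
{
    return index < NR_ENTRIES ? table[index] : OUT_OF_BOUNDS;
}

/* Flawed pattern: compare only the low 32 bits (%eax), index with all 64 (%rax). */
int dispatch_flawed(uint64_t rax)
{
    if ((uint32_t)rax >= NR_ENTRIES)
        return REJECTED;
    return lookup(rax);
}

/* Corrected pattern: zero-extend first, so check and index see the same value. */
int dispatch_fixed(uint64_t rax)
{
    rax = (uint32_t)rax;
    if (rax >= NR_ENTRIES)
        return REJECTED;
    return lookup(rax);
}

int main(void)
{
    /* Constructed register values; the last has stale upper bits set. */
    const uint64_t samples[] = {3, 100, 0xffffffff00000003ULL};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rax=%#018llx flawed=%d fixed=%d\n",
               (unsigned long long)samples[i],
               dispatch_flawed(samples[i]), dispatch_fixed(samples[i]));
    return 0;
}
```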

Integer overflow in the ext4_ext_get_blocks function in
fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local
users to cause a denial of service (BUG and system crash) via a
write operation on the last block of a large file, followed by a sync
operation. (CVE-2010-3015)

Additionally, the kernel has been updated to the stable version
2.6.31.14. A timeout bug in bnx2 has been fixed. Muting and unmuting
on VT1812/VT2002P should now work correctly. A fix for ACL decoding
on NFS was added. Rebooting on Dell Precision WorkStation T7400 was
corrected. Read balancing with RAID0 and RAID1 on drives larger than
2TB was also fixed. A more detailed description is available in the
package changelog and related tickets.

Thanks to Thomas Backlund and Herton Ronaldo Krzesinski for
contributions in this update.